From: Matthijs Mekking <matje@nlnetlabs.nl>
Date: Mon, 29 Oct 2012 14:06:00 +0000 (+0000)
Subject: Fix validation for responses with CNAME and wildcard expanded CNAME in
X-Git-Tag: release-1.4.19rc1~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=79ffc1ab8104247081561a4d88d1cff1f64ba793;p=thirdparty%2Funbound.git

Fix validation for responses with CNAME and wildcard expanded CNAME in
ANSWER section.



git-svn-id: file:///svn/unbound/trunk@2777 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/doc/Changelog b/doc/Changelog
index b32753cad..32d4fceeb 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+29 October 2012: Matthijs
+	- Fix validation for responses with both CNAME and wildcard
+	  expanded CNAME records in answer section.
+
 8 October 2012: Wouter
 	- update ldns-testpkts.c to ldns 1.6.14 version.
 	- fix build of pythonmod in objdir, for unbound.py.
diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl
new file mode 100644
index 000000000..12f83e82b
--- /dev/null
+++ b/testdata/val_cnametocnamewctoposwc.rpl
@@ -0,0 +1,208 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    IN      DNSKEY  257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b"
+	val-override-date: "-1"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with a regular cname to wildcard cname to wildcard response
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.	120	IN	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 8 AwEAAdWzfjQD2bfQuoQGNYuS0ByosBxiTkoKcy9kMoWOQ/jx9rvTRhHImWxTxFtIyZOoRgn6E6mE71e5Y1q1nuyH544Em+4rNRMMW4bzecQmMmPk+B97MqW9aW6e4BwiCTt52IGfL++5GORYcaITw9UOlQLYH1oHHUNUC6ebHENofLTj ;{id = 64050 (zsk), size = 1024b}
+example.com.	3600	IN	DNSKEY	257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b ;{id = 46426 (ksk), size = 1024b}
+example.com.	3600	IN	RRSIG	DNSKEY 8 2 3600 20121126123249 20121029123249 46426 example.com. pisNb/A40XDEiMpcYtxc+yO6osISyfpqz+0UZ61pd70+TLXMF197zr9SqOVJHyRI6G2lSnFggxYrZDpxLbxOW0RY/KfjD3xlI14M/2DieJ1NdlQuYFGgTwxcoINUJ/wRd4YUxkF4JS0D4NBdQ0yQYR0KqDr84oyhnULEHX6WB7s=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. uN8+hg2b9kqpso4zTtpb8CdkGkgOdlbayH1Ui7NVSi1Y8un8FDG4NHy2gpCi0zIMpeAOa5bENe3cdTEwYZKHQdvnGjaI/zFWpFAzXsEFg0VlLxDQXSzRB6GtoFoUEYiZBHsmLIy3zWjuihlWK9fRzyPyVtBDDmqU8KK7+H3BYp0=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. NQTIY1uMK1jxVMHOaMB4shedyhdAERZuPiZXytfqSH36hDVMf1C8tSxdbCjJ90lOLEWNtMmT09l5kh14gp1XIaBHzLuDsYmZJVeudBGCaQRkbM5focd2VMd8V4hHQk4odwsRrSY6IETftHeqeFiRifru/rI3x5Dlv8awI6V5TZI=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.wc.example.com.	86400	IN	NSEC	www.example.com. CNAME RRSIG NSEC 
+*.wc.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131853 20121029131853 64050 example.com. YrmCLu0uGgD2gcU4p12BGnUGYcrKmfg82MJHSF5OnVmmJxXiSbSBnZPahbJNGA/kPLt+SlDyBTcssZKXWxM6bW7WF57OwffOj7rMyr5vhx7J6OsuWKotPVqnUFDx9j/rOum24yCKqoBWvpW/RYUHLuX1Wm05WMCgNWhuN4wqwiU=
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126131826 20121029131826 64050 example.com. L/EsWsRNhM0Lt8877XYfm0FkVc+utuRPYlW/yxEi/Nzs/mTb9BMrOygsW0qfpYakYgfFvinR7S7ce9/naWidzGkWKYR85g2WFms3/TgchpmfjZHEsNyuT8zsiGrj3bQ3RxpT5cmt/IS2QlOak/RhdtawKfd9aqkMTVpP2idEQwY=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.wc.example.com. IN A
+SECTION ANSWER
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. NQTIY1uMK1jxVMHOaMB4shedyhdAERZuPiZXytfqSH36hDVMf1C8tSxdbCjJ90lOLEWNtMmT09l5kh14gp1XIaBHzLuDsYmZJVeudBGCaQRkbM5focd2VMd8V4hHQk4odwsRrSY6IETftHeqeFiRifru/rI3x5Dlv8awI6V5TZI=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.wc.example.com.	86400	IN	NSEC	www.example.com. CNAME RRSIG NSEC 
+*.wc.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131853 20121029131853 64050 example.com. YrmCLu0uGgD2gcU4p12BGnUGYcrKmfg82MJHSF5OnVmmJxXiSbSBnZPahbJNGA/kPLt+SlDyBTcssZKXWxM6bW7WF57OwffOj7rMyr5vhx7J6OsuWKotPVqnUFDx9j/rOum24yCKqoBWvpW/RYUHLuX1Wm05WMCgNWhuN4wqwiU=
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126131826 20121029131826 64050 example.com. L/EsWsRNhM0Lt8877XYfm0FkVc+utuRPYlW/yxEi/Nzs/mTb9BMrOygsW0qfpYakYgfFvinR7S7ce9/naWidzGkWKYR85g2WFms3/TgchpmfjZHEsNyuT8zsiGrj3bQ3RxpT5cmt/IS2QlOak/RhdtawKfd9aqkMTVpP2idEQwY=
+ENTRY_END
+
+ENTRY_BEGING
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.end.example.com. IN A
+SECTION ANSWER
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+RANGE_END
+
+
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+start.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. uN8+hg2b9kqpso4zTtpb8CdkGkgOdlbayH1Ui7NVSi1Y8un8FDG4NHy2gpCi0zIMpeAOa5bENe3cdTEwYZKHQdvnGjaI/zFWpFAzXsEFg0VlLxDQXSzRB6GtoFoUEYiZBHsmLIy3zWjuihlWK9fRzyPyVtBDDmqU8KK7+H3BYp0=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126131853 20121029131853 64050 example.com. NQTIY1uMK1jxVMHOaMB4shedyhdAERZuPiZXytfqSH36hDVMf1C8tSxdbCjJ90lOLEWNtMmT09l5kh14gp1XIaBHzLuDsYmZJVeudBGCaQRkbM5focd2VMd8V4hHQk4odwsRrSY6IETftHeqeFiRifru/rI3x5Dlv8awI6V5TZI=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126131826 20121029131826 64050 example.com. iS1Pe45xt8SLGlmfmrSPTrnIAlwpIX8leTrsoLgpQJc98aA0XJmO/D32CbMTRZzAM1oBVggm80ht2RIQkX3W1NvN/prcu+Gp0Zrm0rtW+7Q7VwcSbo7jyHh5K8Mppp2OsCleexco5NVAKpDMvD0nyG+CsKtNMQpKK2DlumQsraE=
+SECTION AUTHORITY
+*.wc.example.com.	86400	IN	NSEC	www.example.com. CNAME RRSIG NSEC 
+*.wc.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131853 20121029131853 64050 example.com. YrmCLu0uGgD2gcU4p12BGnUGYcrKmfg82MJHSF5OnVmmJxXiSbSBnZPahbJNGA/kPLt+SlDyBTcssZKXWxM6bW7WF57OwffOj7rMyr5vhx7J6OsuWKotPVqnUFDx9j/rOum24yCKqoBWvpW/RYUHLuX1Wm05WMCgNWhuN4wqwiU=
+*.end.example.com.	86400	IN	NSEC	escapedtext.example.com. A RRSIG NSEC 
+*.end.example.com.	86400	IN	RRSIG	NSEC 8 3 86400 20121126131826 20121029131826 64050 example.com. P6uJSImaee+5NHlTP06pMxgO69qxjJc0Uo1+htjVyE8f15MhG8A7NttvzggbtyzmfLMPr7TilM+Mm7hC3pIk/TeBEdH8p+8qypnY0NzPntz5z1+6C6ZTjDXp6NxDwMz7th31r3B3u4xo/K4qMnXmrAFOIE5Lopk0uDGXfjKPCKE=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126131826 20121029131826 64050 example.com. NgY7UAdkXprnCi/O6c5XoB82tqLBd1bY9LmDG9wwN0zEUR5aHQcOmX9waHyqXQI86SOFQbGCvO2wDLqdqWniw1IYf4S66Vf9KrpaH2gVbvHKiEpGJPeDYQcD5xkv50Lsp4ktcLyuO/dk8ORCP7E2yC5IQVNeFgUfaqttZcJoxuQ=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
new file mode 100644
index 000000000..d6e92d89a
--- /dev/null
+++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
@@ -0,0 +1,206 @@
+; config options
+; The island of trust is at example.com
+server:
+	trust-anchor: "example.com.    IN      DNSKEY  257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b"
+	val-override-date: "-1"
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with a regular cname to wildcard cname to wildcard response
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.	120	IN	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 8 AwEAAdWzfjQD2bfQuoQGNYuS0ByosBxiTkoKcy9kMoWOQ/jx9rvTRhHImWxTxFtIyZOoRgn6E6mE71e5Y1q1nuyH544Em+4rNRMMW4bzecQmMmPk+B97MqW9aW6e4BwiCTt52IGfL++5GORYcaITw9UOlQLYH1oHHUNUC6ebHENofLTj ;{id = 64050 (zsk), size = 1024b}
+example.com.	3600	IN	DNSKEY	257 3 8 AwEAAdL6YJdvoKQJEt/SgB6MrbQ2RDwnrcQQb6bDE8FpGgLen6hvF31ntVsZ3RZzhCmwL6lvumOLFIRKaP9ZBEVutT9iMoF2dNRbT0TCUrv6uQNHcuCZ0BJhuDNBU42f3yOnfFv7PKxd0NP+yFHJkvDQAVLMB5GeUQuYnvgQGeZsf/3b ;{id = 46426 (ksk), size = 1024b}
+example.com.	3600	IN	RRSIG	DNSKEY 8 2 3600 20121126123249 20121029123249 46426 example.com. pisNb/A40XDEiMpcYtxc+yO6osISyfpqz+0UZ61pd70+TLXMF197zr9SqOVJHyRI6G2lSnFggxYrZDpxLbxOW0RY/KfjD3xlI14M/2DieJ1NdlQuYFGgTwxcoINUJ/wRd4YUxkF4JS0D4NBdQ0yQYR0KqDr84oyhnULEHX6WB7s=
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. LHpx5n++Z0Jgjjalac+e7wdYSbfurqSDpLRAOI1PybTJkwrMvgDKfp0ycT4HwsLVy7spumZ/Ahg/5II9pai7jCiqv1Iyh6fx19ZVeClTFMOLotCK8xMHACYJIY39BhTwD2D3r9BxbK+RopUlXypwV02yzdY2xEnPCBJVDUn5d0g=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXqQWmnjHtbFvzUlTlfGj+56YBSOEpyCep4CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4FAkqLXRYjp4CZegslmJIuXU5uS+Q0GlLbWdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+oIZ+CkwvDlQ=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+; H(z.wc.example.com.) = isn85psesctb6afn2q105mv966tqqepi.
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	NSEC3	1 0 1 abcd  isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG 
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/C0yL9br6W/5lB/usuSiK2DjW58ibPh2kLH1P3SpGqd1Y7LigptdXoPBDFakcNcimPWCN93R3J80+vrHHPkPyIsBaywwYI3SNGgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0ntKq7dkSndg=
+; H(z.end.example.com.) = a62608t4becqb6233m87ar7a3648rj3b.
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.wc.example.com. IN A
+SECTION ANSWER
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXqQWmnjHtbFvzUlTlfGj+56YBSOEpyCep4CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4FAkqLXRYjp4CZegslmJIuXU5uS+Q0GlLbWdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+oIZ+CkwvDlQ=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	NSEC3	1 0 1 abcd  isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG 
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/C0yL9br6W/5lB/usuSiK2DjW58ibPh2kLH1P3SpGqd1Y7LigptdXoPBDFakcNcimPWCN93R3J80+vrHHPkPyIsBaywwYI3SNGgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0ntKq7dkSndg=
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGING
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.y.z.end.example.com. IN A
+SECTION ANSWER
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+RANGE_END
+
+
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+start.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+start.example.com. IN A
+SECTION ANSWER
+start.example.com.	3600	IN	CNAME	x.y.z.wc.example.com.
+start.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. LHpx5n++Z0Jgjjalac+e7wdYSbfurqSDpLRAOI1PybTJkwrMvgDKfp0ycT4HwsLVy7spumZ/Ahg/5II9pai7jCiqv1Iyh6fx19ZVeClTFMOLotCK8xMHACYJIY39BhTwD2D3r9BxbK+RopUlXypwV02yzdY2xEnPCBJVDUn5d0g=
+x.y.z.wc.example.com.	3600	IN	CNAME	x.y.z.end.example.com.
+x.y.z.wc.example.com.	3600	IN	RRSIG	CNAME 8 3 3600 20121126123316 20121029123316 64050 example.com. BCnT6CIuqvF1U9LfiHIovgvXIVFJsCXqQWmnjHtbFvzUlTlfGj+56YBSOEpyCep4CBJ0CBgZ8gl5kWip8N+sTlveU/UWMv4FAkqLXRYjp4CZegslmJIuXU5uS+Q0GlLbWdSB9ZCZcbbO0qrOtUfrJ2ozcSTCS+D+oIZ+CkwvDlQ=
+x.y.z.end.example.com.	3600	IN	A	1.2.3.5
+x.y.z.end.example.com.	3600	IN	RRSIG	A 8 3 3600 20121126123249 20121029123249 64050 example.com. MyXXd3MvXtEYVNqWDepM3+Ra/j/b63QehzSHXZe5gL954WxW8KGHPYmeWyhDtruThpZS6s6jeARY2xt0lmEDnMgNyPJGA6UWwTIgvGD0u9Qw5kocCq3ZH4cSG4xu4rmZoi+h8OGrHxUb4jIKzipzAQDxhnAcp/wKF7e+p+OE+Fo=
+SECTION AUTHORITY
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	NSEC3	1 0 1 abcd  isoaarjsq14bkqaamivn1t1milkv95lc A RRSIG 
+isjq5aarcp8p5sukc56g961cccjus5u2.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123259 20121029123259 64050 example.com. Cxwzq1DUQvhkTVHEJHlb92c511Y+uJy/C0yL9br6W/5lB/usuSiK2DjW58ibPh2kLH1P3SpGqd1Y7LigptdXoPBDFakcNcimPWCN93R3J80+vrHHPkPyIsBaywwYI3SNGgfnHfPF+wmH+tZ1vfEHbigOxqPFK+T0ntKq7dkSndg=
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	NSEC3	1 0 1 abcd  a64lt5ij9a1up15h5cdsn1u2071901hu A RRSIG 
+a61sejfu6am5a36p628t4s089s309o44.example.com.	86400	IN	RRSIG	NSEC3 8 3 86400 20121126123315 20121029123315 64050 example.com. gfBu4oqo9cVxJbqrw2Ly7mK638kGPOF8l8eh7ovalniwkU3F+PNYJyfSE9yGX8tMGbXrkEW9mAzAh39igr2+Bbzi9WPTRp4RDVM0qw+eyMmQRPWKt7FeanDtP+OcdVp0Hf2aPzsgmgTdS6s0AboUq1rX53H2M6F8xAiwPrBJXDQ=
+example.com.	3600	IN	NS	ns.example.com.
+example.com.	3600	IN	RRSIG	NS 8 2 3600 20121126123249 20121029123249 64050 example.com. cpLjgKPacNxVIGo59tYMZ98GVYpH28WHRWj3AeIHK0StYFcAlflGLdkae1LEgMwfUmzrayrA5GMe3AH8LyuTgA2Dn1oNFxGfuShQvK2MFQ+LxvQfiuoqlAlL5Aa94IWcSoU/wLrr66I1K8oSB2yK1Tyyv73c2N40D1mBbzIE70U=
+SECTION ADDITIONAL
+ns.example.com.	3600	IN	A	1.2.3.4
+ns.example.com.	3600	IN	RRSIG	A 8 2 3600 20121126123249 20121029123249 64050 example.com. zxGyimwFsd39j8T7jJ+tSAQPwZ7tjk6HHmzosTMCRePM4k4newbLb5HbrpucSiW/plaEZvjRTDTJ6bPkw0msPXjPCI/22Zh236XO5vhGtMOlxDgAEazuhifVF6UsM7GZwONPBCvw705HgWQyCR1YlTK2w9ffH3GopU9f4oP7Pmk=
+ENTRY_END
+
+SCENARIO_END
diff --git a/validator/validator.c b/validator/validator.c
index d8f9bbcc4..10b0a243c 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -1023,6 +1023,13 @@ validate_cname_response(struct module_env* env, struct val_env* ve,
 			chase_reply->security = sec_status_bogus;
 			return;
 		}
+
+		/* If we have found a CNAME, stop looking for one.
+		 * The iterator has placed the CNAME chain in correct
+		 * order. */
+		if (ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) {
+			break;
+		}
 	}
 
 	/* AUTHORITY section */